b'                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT\n                                                           OFFICE OF THE INSPECTOR GENERAL\n                                                                            OFFICE OF AUDITS\n\n\n\n\n                                   Final Audit Report\n\n    Subject:\n\n\n                FEDERAL INFORMATION SECURITY\n                   MANAGEMENT ACT AUDIT\n                            FY 2011\n\n                                           Report No. 4A-CI-00-11-009\n\n\n                                           Date:              November 9, 2011\n\n\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                        UNITED STATES OFFICE OF PERSONNEL MANAGEMENT\n                                               Washington, DC 20415\n\n\n  Office of the\nInspector General\n\n\n\n\n                                              Audit Report\n\n\n\n                           U.S. OFFICE OF PERSONNEL MANAGEMENT\n                            -------------------------------------------------------------\n\n                    FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT\n                                               FY 2011\n                                    --------------------------------\n                                      WASHINGTON, D.C.\n\n\n\n\n                                    Report No. 
4A-CI-00-11-009\n\n\n                                    Date:          November 9, 2011\n\n\n\n\n                                                                      Michael R. Esser\n                                                                      Assistant Inspector General\n                                                                        for Audits\n\n\n\n\n      www.opm.gov                                                                           www.usajobs.gov\n\x0c                        UNITED STATES OFFICE OF PERSONNEL MANAGEMENT\n                                                Washington, DC 20415\n\n\n  Office of the\nInspector General\n\n\n\n                                         Executive Summary\n\n\n\n                            U.S. OFFICE OF PERSONNEL MANAGEMENT\n                             -------------------------------------------------------------\n\n                    FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT\n                                               FY 2011\n                                    --------------------------------\n                                      WASHINGTON, D.C.\n\n\n\n\n                                     Report No. 4A-CI-00-11-009\n\n\n                                     Date:          November 9, 2011\n\n      This audit report documents the Office of Personnel Management\xe2\x80\x99s (OPM\xe2\x80\x99s) continued efforts to\n      manage and secure its information resources. We have significant ongoing concerns regarding\n      the overall quality of the information security program at OPM.\n\n      In fiscal year (FY) 2007 and FY 2008, we reported a material weakness in controls over the\n      development and maintenance of OPM\xe2\x80\x99s information technology (IT) security policies. In FY\n      2009, we issued a Flash Audit Alert to OPM\xe2\x80\x99s Director highlighting our concerns with the\n      agency\xe2\x80\x99s IT security program. 
We also expanded the material weakness related to IT security\n      policies to include concerns with the agency\xe2\x80\x99s overall information security governance and its\n      information security management structure. This material weakness was rolled forward through\n      FY 2010.\n\n      In FY 2011, OPM\xe2\x80\x99s Office of the Chief Information Officer (OCIO) made progress in updating\n      its IT security and privacy policies, procedures, and guidance. However, the OCIO continues to\n      operate with a decentralized IT security structure and does not have the authority or the resources\n      available to adequately implement the new policies. We continue to believe that information\n      security governance represents a material weakness in OPM\xe2\x80\x99s IT security program.\n\n                                                         i\n      www.opm.gov                                                                            www.usajobs.gov\n\x0cIn FY 2010, we added a second material weakness related to the management of the Certification\nand Accreditation (C&A) process. We reported that there were, in our opinion, three root causes\nof OPM\xe2\x80\x99s C&A issues: insufficient staffing in the IT Security and Privacy Group, a lack of\npolicy and procedures, and the decentralized DSO model in place at OPM.\n\nIn FY 2011, the OCIO improved the policy deficiencies by publishing updated procedures and\ntemplates designed to improve the overall C&A process (now referred to as Security Assessment\nand Authorization or Authorization process) and dedicating resources to facilitating the\nAuthorization process. We observed an improvement in the Authorization packages completed\nunder this new process, and believe that this improvement warrants reducing the material\nweakness related to C&As to a significant deficiency. 
Although no longer a material weakness,\nthe Authorization process continues to be hindered by limited OCIO staffing resources and the\ndecentralized DSO model.\n\nIn addition to the material weaknesses described above, we noted the following controls in place\nand opportunities for improvement:\n\xe2\x80\xa2   The OCIO has implemented risk management procedures at a system-specific level, but has\n    not developed an agency-wide risk management methodology.\n\xe2\x80\xa2   The IT security controls were adequately tested for only 36 of 48 information systems in\n    OPM\xe2\x80\x99s inventory.\n\xe2\x80\xa2   The OCIO has implemented an agency-wide information system configuration management\n    policy and has established configuration baselines for all operating platforms used by the\n    agency.\n\xe2\x80\xa2   The OCIO routinely conducts vulnerability scans of production servers, but does not have a\n    formal process for tracking the status of weaknesses identified through the scanning.\n\xe2\x80\xa2   The OCIO has developed thorough incident response and reporting capabilities.\n\xe2\x80\xa2   The OCIO has implemented a process to provide annual IT security and privacy awareness\n    training to all OPM employees and contractors. However, controls related to providing\n    specialized security training to individuals with information security responsibility could be\n    improved.\n\xe2\x80\xa2   Plans of Action and Milestones are appropriately managed for all information systems in\n    OPM\xe2\x80\x99s inventory. 
The OCIO has the capability to use two-factor authentication for remote\n    access, but this control was not enforced for all users in FY 2011.\n\xe2\x80\xa2   We found that several OPM employees maintained network access after their termination\n    date, and several users had multiple accounts.\n\xe2\x80\xa2   The OCIO has taken steps toward implementing a continuous monitoring program at OPM;\n    however, this project remains a work in progress.\n\xe2\x80\xa2   The OCIO developed a catalog of information security controls that are shared (\xe2\x80\x9ccommon\xe2\x80\x9d)\n    with all of the agency\xe2\x80\x99s applications. However, the current version of the catalog is\n    incomplete, as it does not account for the large number of technical controls that are common\n    to applications residing on one of OPM\xe2\x80\x99s several general support systems. As a result, the\n\n\n\n                                                 ii\n\x0c    owner of each application residing on a support system must independently test the same\n    controls.\n\xe2\x80\xa2   The contingency plans were adequately tested for only 40 of 48 information systems in\n    OPM\xe2\x80\x99s inventory.\n\xe2\x80\xa2   We noticed inconsistency in the quality of contingency plan testing documentation produced\n    for various OPM systems. In September 2011, the OCIO issued detailed guidance to\n    program offices on how to conduct a contingency plan test and create an after action report.\n    As part of the FY 2012 FISMA audit, we will test the impact that this new guidance has on\n    the quality of system level contingency plan tests.\n\xe2\x80\xa2   Contingency plan/disaster recovery tests are not coordinated between OPM\xe2\x80\x99s various general\n    support systems.\n\xe2\x80\xa2   OPM program offices appeared to provide an adequate level of oversight to contractor-\n    operated systems. 
However, the techniques and quality of this oversight was inconsistent\n    between program offices.\n\xe2\x80\xa2   OPM maintains an adequate security capital planning and investment program for\n    information security.\n\n\n\n\n                                               iii\n\x0c                                                                Contents\n                                                                                                                                            Page\n\n\n  Executive Summary .................................................................................................................... i\n  Introduction ................................................................................................................................ 1\n  Background ................................................................................................................................ 1\n  Objectives ................................................................................................................................... 1\n  Scope and Methodology ............................................................................................................. 2\n  Compliance with Laws and Regulations .................................................................................... 3\n  Results ........................................................................................................................................ 4\n       I. Information Security Governance .................................................................................... 4\n      II. Security Assessment and Authorization .......................................................................... 7\n     III. Risk Management ............................................................................................................ 9\n     IV. 
Configuration Management ........................................................................................... 12\n      V. Incident Response and Reporting .................................................................................. 14\n    VI. Security Training ........................................................................................................... 15\n    VII. Plan of Action and Milestones ....................................................................................... 16\n  VIII. Remote Access Management ......................................................................................... 17\n     IX. Identity and Access Management .................................................................................. 18\n      X. Continuous Monitoring Management ............................................................................ 20\n    XI. Contingency Planning .................................................................................................... 21\n    XII. Contractor Systems ........................................................................................................ 23\n   XIII. Security Capital Planning .............................................................................................. 24\n  XIV. Follow-up of Prior OIG Audit Recommendations......................................................... 24\n  Major Contributors to this Report ............................................................................................ 
30\n\nAppendix I:         Status of Prior OIG Audit Recommendations\n\nAppendix II: Office of the Chief Information Officer\xe2\x80\x99s October 21, 2011 response to the draft\n             audit report, issued October 3, 2011.\nAppendix III: FY 2011 Inspector General FISMA reporting metrics.\n\x0c                                         Introduction\nOn December 17, 2002, the President signed into law the E-Government Act (Public Law 107-\n347), which includes Title III, the Federal Information Security Management Act (FISMA).\nFISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)\nevaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of\nIG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing\nthe material received from agencies. In accordance with FISMA, we conducted an evaluation of\nOPM\xe2\x80\x99s security program and practices. As part of our evaluation, we reviewed OPM\xe2\x80\x99s FISMA\ncompliance strategy and documented the status of its compliance efforts.\n\n                                         Background\nFISMA requirements pertain to all information systems supporting the operations and assets of\nan agency, including those systems currently in place or planned. The requirements also pertain\nto information technology (IT) resources owned and/or operated by a contractor supporting\nagency systems.\n\nFISMA reemphasizes the Chief Information Officer\xe2\x80\x99s strategic, agency-wide security\nresponsibility. At OPM, security responsibility is assigned to the agency\xe2\x80\x99s Office of the Chief\nInformation Officer (OCIO). 
FISMA also clearly places responsibility on each agency program\noffice to develop, implement, and maintain a security program that assesses risk and provides\nadequate security for the operations and assets of programs and systems under its control.\n\nTo assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the\nDepartment of Homeland Security (DHS) National Cyber Security Division issued the fiscal year\n(FY) 2011 Inspector General FISMA Reporting Instructions. This document provides a\nconsistent form and format for agencies to report to DHS. It identifies a series of reporting\ntopics that relate to specific agency responsibilities outlined in FISMA. Our audit and reporting\nstrategies were designed in accordance with the above DHS guidance.\n\n                                          Objectives\nOur overall objective was to evaluate OPM\xe2\x80\x99s security program and practices, as required by\nFISMA. Specifically, we reviewed the status of the following areas of OPM\xe2\x80\x99s IT security\nprogram in accordance with DHS\xe2\x80\x99s FISMA IG reporting requirements:\n   \xe2\x80\xa2   Risk Management;\n   \xe2\x80\xa2   Security Configuration Management;\n   \xe2\x80\xa2   Incident Response and Reporting Program;\n   \xe2\x80\xa2   Security Training Program;\n   \xe2\x80\xa2   Plans of Action and Milestones (POA&M) Program;\n   \xe2\x80\xa2   Remote Access Program;\n   \xe2\x80\xa2   Identity and Access Management;\n   \xe2\x80\xa2   Continuous Monitoring Program;\n   \xe2\x80\xa2   Contingency Planning Program;\n\n\n                                                1\n\x0c   \xe2\x80\xa2   Agency Program to Oversee Contractor Systems; and,\n   \xe2\x80\xa2   Agency Security Capital Planning Program.\n\nIn addition, we evaluated the status of OPM\xe2\x80\x99s IT security governance structure and its Security\nAssessment and Authorization process. 
These two areas represented material weaknesses in\nOPM\xe2\x80\x99s IT security program in prior FISMA audits.\n\nWe also evaluated the security controls of four major applications/systems at OPM (see Scope\nand Methodology for details of these audits). We also followed-up on outstanding\nrecommendations from prior FISMA audits (see Appendix I).\n\n                                  Scope and Methodology\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives. The audit covered OPM\xe2\x80\x99s\nFISMA compliance efforts throughout FY 2011.\n\nWe reviewed OPM\xe2\x80\x99s general FISMA compliance efforts in the specific areas defined in DHS\xe2\x80\x99s\nguidance and the corresponding reporting instructions. We also evaluated the security controls\nfor the following major applications:\n   \xe2\x80\xa2   Enterprise Server Infrastructure General Support System (OIG Report No. 4A-CI-00-11-\n       016);\n   \xe2\x80\xa2   Consolidated Business Information System (OIG Report No. 4A-CF-00-11-015);\n   \xe2\x80\xa2   Presidential Management Fellows System (OIG Report No. 4A-HR-00-11-017); and,\n   \xe2\x80\xa2   Center for Talent Services General Support System (OIG Report No. 4A-CI-00-11-043).\n\nWe considered the internal control structure for various OPM systems in planning our audit\nprocedures. These procedures were mainly substantive in nature, although we did gain an\nunderstanding of management procedures and controls to the extent necessary to achieve our\naudit objectives. 
Accordingly, we obtained an understanding of the internal controls for these\nvarious systems through interviews and observations, as well as inspection of various documents,\nincluding information technology and other related organizational policies and procedures. This\nunderstanding of these systems\xe2\x80\x99 internal controls was used to evaluate the degree to which the\nappropriate internal controls were designed and implemented. As appropriate, we conducted\ncompliance tests using judgmental sampling to determine the extent to which established\ncontrols and procedures are functioning as required.\n\nIn conducting our audit, we relied to varying degrees on computer-generated data provided by\nOPM. Due to time constraints, we did not verify the reliability of the data generated by the\nvarious information systems involved. However, we believe that the data was sufficient to\nachieve the audit objectives, and nothing came to our attention during our audit testing to cause\nus to doubt its reliability.\n\n\n\n                                                2\n\x0cSince our audit would not necessarily disclose all significant matters in the internal control\nstructure, we do not express an opinion on the set of internal controls for these various systems\ntaken as a whole.\n\nThe criteria used in conducting this audit include:\n\xe2\x80\xa2   DHS National Cyber Security Division FY 2011 Inspector General Federal Information\n    Security Management Act Reporting Instructions;\n\xe2\x80\xa2   OPM Information Technology Security and Privacy Policy Handbook;\n\xe2\x80\xa2   OPM Information Technology Security FISMA Procedures;\n\xe2\x80\xa2   OPM Security Assessment and Authorization Guide;\n\xe2\x80\xa2   OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;\n\xe2\x80\xa2   OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\n    Personally Identifiable Information;\n\xe2\x80\xa2   OMB Memorandum M-06-16, 
Protection of Sensitive Agency Information;\n\xe2\x80\xa2   OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;\n\xe2\x80\xa2   E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security\n    Management Act of 2002;\n\xe2\x80\xa2   National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An\n    Introduction to Computer Security;\n\xe2\x80\xa2   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information\n    Systems;\n\xe2\x80\xa2   NIST SP 800-30, Risk Management Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to\n    Federal Information Systems;\n\xe2\x80\xa2   NIST SP 800-39, Managing Information Security Risk;\n\xe2\x80\xa2   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information\n    Systems;\n\xe2\x80\xa2   NIST SP 800-60 Version 2.0 Volume II, Guide for Mapping Types of Information and\n    Information Systems to Security Categories;\n\xe2\x80\xa2   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security\n    Categorization of Federal Information and Information Systems; and,\n\xe2\x80\xa2   Other criteria as appropriate.\n\nThe audit was performed by the OIG at OPM, as established by the Inspector General Act of\n1978, as amended. Our audit was conducted from May through September 2011 in OPM\xe2\x80\x99s\nWashington, D.C. office.\n\n                        Compliance with Laws and Regulations\nIn conducting the audit, we performed tests to determine whether OPM\xe2\x80\x99s practices were\nconsistent with applicable standards. 
While generally compliant, with respect to the items tested,\nOPM\xe2\x80\x99s OCIO and other program offices were not in complete compliance with all standards, as\ndescribed in the \xe2\x80\x9cResults\xe2\x80\x9d section of this report.\n\n\n                                                 3\n\x0c                                          Results\nThe sections below detail the results of our FY 2011 FISMA audit of OPM\xe2\x80\x99s IT Security\nProgram. Several recommendations were issued in FY 2010 and are rolled forward from OIG\nreport no. 4A-CI-00-10-019, \xe2\x80\x9cFederal Information Security Management Act Audit \xe2\x80\x93 FY 2010.\xe2\x80\x9d\n\nI.    Information Security Governance\n      Over the past fiscal year OPM\xe2\x80\x99s OCIO has made progress in updating its IT security and\n      privacy policies, procedures, and guidance. However, the existence of policies alone\n      cannot improve the agency\xe2\x80\x99s IT security program. The OCIO continues to operate with a\n      decentralized IT security structure and does not have the resources available to\n      adequately implement the new policies. 
We continue to believe that information security\n      governance represents a material weakness in OPM\xe2\x80\x99s IT security program.\n\n      The sections below outline the OIG\xe2\x80\x99s review of IT security governance at OPM.\n\n      a) IT Security Policies and Procedures\n\n          OPM\xe2\x80\x99s failure to adequately update its IT security and privacy policies and\n          procedures was highlighted in the past five annual OIG FISMA audit reports, and was\n          identified as a material weakness in the agency\xe2\x80\x99s IT security program in the past four\n          FISMA audit reports.\n\n          In FY 2011, the OCIO created and published several new documents that provide a\n          policy framework for OPM\xe2\x80\x99s IT security program, including:\n          \xe2\x80\xa2   Information Security and Privacy Policy Handbook (March 2011);\n          \xe2\x80\xa2   Information Technology Security FISMA Procedures (May 2011); and,\n          \xe2\x80\xa2   OPM Security Assessment and Authorization Guide (April 2011).\n\n          These three documents address many of the policies and procedures that we had\n          identified as missing or inadequate in prior FISMA audits. However, the creation of\n          policies and procedures alone does not improve an IT security program. They must\n          be fully adopted by the target audience, in this case the Designated Security Officer\n          (DSO) community. Given the decentralized structure of OPM\xe2\x80\x99s IT security program,\n          it is questionable whether the DSOs have the skills and resources necessary to\n          implement the new policies and procedures.\n\n          The quantity of IT security deficiencies outlined in this audit report indicate that,\n          despite the existence of policies, limited improvement has been made in the overall\n          security program to date. 
It remains to be seen whether the new policy and procedure\n          framework will lead to notable improvements in the future.\n\n          While the majority of missing policies and procedures have now been created, we\n          identified several specific areas where OPM continues to lack adequate IT policies,\n          procedures, or guidance, including:\n\n\n                                              4\n\x0c   \xe2\x80\xa2   Policy and procedures related to oversight of systems operated by a contractor;\n   \xe2\x80\xa2   Policy on agency-wide risk management (see Recommendation 5);\n   \xe2\x80\xa2   Policy related to roles and responsibilities for the Independent Verification and\n       Validation (IV&V) process and procedures for managing an IV&V; and,\n   \xe2\x80\xa2   Policy or guidance for identifying and continuously monitoring high risk security\n       controls.\n   Recommendation 1\n   We recommend that the OCIO develop policies to address oversight of contractor\n   systems, agency-wide risk management, IV&V, and continuous monitoring of high\n   risk security controls.\n\n   OCIO Response:\n   \xe2\x80\x9cThe CIO partially concurs with this recommendation and offers clarifying\n   remarks in order to present a more current interpretation. The policies in the IT\n   Security Handbook dated March 31, 2011 apply to all OPM systems including those\n   at contractor facilities and therefore a new policy for oversight of contractor\n   systems is not necessary. The CIO believes that new policies for IV&V and\n   continuous monitoring of high risk security controls should be developed and\n   would be beneficial to the OPM security program.\xe2\x80\x9d\n\n   OIG Reply:\n   Although OPM\xe2\x80\x99s IT Security Handbook may apply to contractors, we determined that\n   the techniques and quality of oversight provided to contractor systems was\n   inconsistent between program offices. 
This inconsistency is the result of OPM not\n   having an agency-wide policy providing program offices guidance on overseeing the\n   activities of contractors operating OPM systems. We continue to recommend that the\n   OCIO develop policies to address oversight of contractor systems, IV&V, and\n   continuous monitoring of high risk security controls.\n\nb) Information Security Management Structure\n\n   The FY 2010 FISMA report highlighted the fact that OPM had operated without a\n   permanent Senior Agency Information Security Officer (SAISO) for over 18 months\n   and that the SAISO\xe2\x80\x99s Information Technology Security and Privacy Group (ITSPG)\n   did not have the resources necessary to adequately manage OPM\xe2\x80\x99s IT security\n   program.\n\n   The OCIO had a permanent SAISO throughout FY 2011 and also hired several new\n   employees and contractors to work in the ITSPG. However, the quantity and variety\n   of audit recommendations throughout this report indicates that the OCIO continues to\n   lack the resources necessary to remediate long standing IT security weaknesses and\n   fully implement the recently developed policies and procedures. In addition, 18 audit\n   recommendations from FY 2010 were not adequately addressed in FY 2011. We\n   believe that a major factor contributing to these problems is the OCIO\xe2\x80\x99s lack of direct\n\n\n\n                                        5\n\x0cauthority over the DSO community tasked with managing the security of OPM\xe2\x80\x99s\nmajor information systems.\n\nOPM chose to implement a decentralized model in which the DSOs are typically\nappointed by and report to the program offices that own major computer systems.\nVery few of the DSOs have any background in information security, and most are\nonly managing their security responsibilities as a collateral duty to their primary job\nfunction. 
The OCIO continues to provide guidance to the DSO community through\nmonthly Information Technology Security Working Group (ITSWG) meetings.\nHowever, these meetings provide limited benefit because 1) the OCIO has no\nauthority over the DSOs and cannot mandate their attendance at the ITSWG\nmeetings, and 2) not all DSOs have the technological skills or the resources required\nto implement the security concepts discussed at these meetings.\n\nSeveral sections of this report exemplify the impact of the OCIO\xe2\x80\x99s lack of authority\nover DSOs, including:\n\xe2\x80\xa2   The IT security controls of only 36 of 48 systems in OPM\xe2\x80\x99s inventory were\n    adequately tested in FY 2011 by the program offices owning the system (see\n    section III, below).\n\xe2\x80\xa2   The contingency plans were adequately tested for only 40 of 48 systems in\n    OPM\xe2\x80\x99s inventory (see section XI, below). Of the contingency plans that were\n    tested, the quality varied greatly between tests conducted by various program\n    offices.\n\xe2\x80\xa2   Only 75% of personnel that the OCIO identified as having significant IT security\n    responsibility received adequate training in FY 2011 (see section VI, below).\n\nIT security is a shared responsibility between the OCIO and program offices. The\nOCIO is responsible for overall information security governance while program\noffices are responsible for the security of the systems that they own. There is a\nbalance that must be maintained between a consolidated and a distributed approach to\nmanaging IT security. It is still our opinion that OPM\xe2\x80\x99s approach is too\ndecentralized. 
OPM program offices should continue to be responsible for\nmaintaining security of the systems that they own, but the DSO responsibility for\ndocumenting, testing, and monitoring system security should be centralized within the\nOCIO.\n\nRecommendation 2 (Rolled-Forward from 2010)\nWe recommend that OPM implement a centralized information security governance\nstructure where all information security practitioners, including designated security\nofficers, report to the SAISO. Adequate resources should be assigned to the OCIO to\ncreate this structure. Existing designated security officers who report to their\nprogram offices should return to their program office duties. The new staff that\nreports to the SAISO should consist of experienced information security\nprofessionals.\n\n\n\n\n                                     6\n\x0c         OCIO Response:\n         \xe2\x80\x9cThe CIO concurs with this recommendation and offers the following remarks.\n         The CIO\xe2\x80\x99s budget does not contain funding to replace the Designated Security\n         Officers with information security professionals. One possible suggestion is to\n         require OPM program offices to provide funding for the CIO to hire information\n         security professionals.\xe2\x80\x9d\n\n         OIG Reply:\n         We acknowledge the fact that the OCIO does not currently have funding to hire\n         enough security professionals to manage all of OPM\xe2\x80\x99s information systems.\n         Migrating OPM to a more centralized IT security function will require the\n         cooperation of the program offices that own the agency\xe2\x80\x99s major applications. The\n         OCIO should seek the assistance of the OPM Director in negotiating with program\n         offices to transfer responsibility of some security functions to a centralized group\n         reporting to the CIO. 
Although this initiative will take considerable time, the OCIO should begin working with the owners of applications it determines to be high risk, such as financial systems and applications containing large amounts of sensitive data.

II. Security Assessment and Authorization (formerly Certification and Accreditation)

System certification is a comprehensive assessment that attests that a system’s security controls meet the security requirements of that system, and accreditation is the official management decision to authorize operation of an information system and accept its risks. OPM’s process of certifying a system’s security controls was formerly referred to as Certification and Accreditation (C&A) and is now referred to as Security Assessment and Authorization (Authorization).

Our FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM’s C&A process were a significant deficiency in the internal control structure of the agency’s IT security program. The weaknesses cited related to inadequate management of the process and to incomplete, inconsistent, and poor-quality C&A products. In FY 2010, these longstanding conditions continued to degrade, and as a result they were reported as a material weakness in OPM’s IT security program.

We reported that there were, in our opinion, three root causes of OPM’s C&A issues: insufficient staffing in the IT Security and Privacy Group, a lack of policy and procedures, and the decentralized DSO model in place at OPM.

In FY 2011, the OCIO addressed the policy deficiencies by publishing updated procedures and templates designed to improve the overall Authorization process and by dedicating resources to facilitating Authorizations. We observed an improvement in the Authorization packages completed under this new process, and believe that this improvement warrants reducing the material weakness related to C&As to a significant deficiency. Although no longer a material weakness, the Authorization process continues to be hindered by limited OCIO staffing resources and the decentralized DSO model (see section I, above).

The sections below provide a detailed evaluation of OPM’s Authorization process.

a) Security Assessment and Authorization policy

In January 2011, the OCIO published a Security Assessment and Authorization Guide and several other procedures and templates that provide guidance to program offices certifying the security controls of each system. The OCIO has created and published guidance for completing the following elements of an Authorization:
• Information System Security Plan;
• FIPS 199 Security Categorization;
• Security Assessment Plan;
• Contingency Plan;
• Risk Assessment;
• System Registration;
• E-Authentication Assessment;
• System Security Plan; and
• Interconnection Security Agreement.

We believe that the Security Assessment and Authorization Guide provides adequate guidance for certifying the security controls of information systems.

b) Quality and consistency of Authorization packages

The OIG reviewed the full Authorization packages of five systems that were subject to an Authorization after the OCIO issued the updated Security Assessment and Authorization Guide. The quality of all five packages appeared to be an improvement over security certifications completed under the former C&A process.
However, as noted with C&A packages completed in the last several years, we continued to observe a wide range in quality between Authorization packages completed by various program offices (the specific problems and inconsistencies were provided to the OCIO but will not be detailed in this report).

The development of an Authorization package is the responsibility of the OPM program office that owns the system. Each program office assigns a DSO to manage the security of its systems. The decentralized nature of the DSO community at OPM means that individuals with varying skill sets are tasked with Authorization-related responsibilities, often as a collateral duty in addition to their normal job function. Authorization policies and procedures cannot be fully leveraged unless the individuals implementing them are consistently trained and dedicated to this function.

Recommendation 3
We recommend that the OCIO work with program offices to correct the specific errors that the OIG identified in the Authorization packages reviewed in FY 2011.

OCIO Response:
“The CIO concurs with this recommendation and will take corrective action.”

c) OCIO management of the Authorization process

The OCIO is responsible for assisting program offices in the development of Authorization packages for their systems. OPM’s Security Assessment and Authorization Guide also mandates OCIO involvement at all stages of the Authorization process to check quality and completeness before the system is recommended for authorization. In FY 2011, two full-time resources were hired to review Authorization packages along with other IT security responsibilities. The most notable improvement made to the Authorization process was the implementation of three “decision points” at various steps of the Authorization process. At each decision point, representatives from the OCIO must review the work that has been completed and formally approve continuation of the Authorization process.

While we recognize the progress the OCIO has made in managing the Authorization process, we believe that there is still room for improvement. With additional resources dedicated to the review of Authorization packages, the inconsistencies referenced above could have been detected before the Authorization process was complete.

Recommendation 4 (Rolled-Forward from 2010)
We recommend that the OCIO assign additional resources to facilitate the Authorization process to ensure the consistency and quality of Authorization packages developed by OPM program offices.

OCIO Response:
“The CIO concurs with this recommendation and believes that additional security resources could improve the security authorization process. However, funding is not allocated in the CIO budget to hire additional resources.”

III. Risk Management

NIST SP 800-37 Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” provides federal agencies with a framework for implementing an agency-wide risk management methodology. The Guide suggests that risk be assessed in relation to the agency’s goals and mission using a three-tiered approach: Tier 1: Organization (Governance); Tier 2: Mission/Business Process (Information and Information Flows); and Tier 3: Information System (Environment of Operation).
NIST SP 800-39, “Managing Information Security Risk – Organization, Mission, and Information System View,” provides additional details of this three-tiered approach.

a) Agency-wide risk management

NIST SP 800-39 states that agencies should establish and implement “Governance structures [that] provide oversight for the risk management activities conducted by organizations and include:
(i) the establishment and implementation of a risk executive (function);
(ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and
(iii) the development and execution of organization-wide investment strategies for information resources and information security.”

OPM’s decentralized approach to IT security increases the need for an agency-wide risk management methodology, as the agency’s mission is supported by multiple information systems owned by various program offices. Although the OCIO has made improvements in assessing risk at the individual system level (see Security Assessment and Authorization, section II, above), the OCIO does not currently have a formal methodology for managing risk at an organization-wide level.

In FY 2011, the OCIO organized a Risk Executive Function composed of several IT security professionals. However, the 12 primary functions of the Risk Executive Function described in NIST SP 800-39 section 2.3.2, Risk Executive (Function), are not all fully implemented.

Recommendation 5
We recommend that the OCIO develop policies and procedures related to managing risk from an agency-wide perspective.

OCIO Response:
“The CIO does not concur with this recommendation and believes that adequate policies and procedures are in place to manage risk from an agency-wide perspective as documented in sections 3.1.9 and 3.1.7 of the IT Security Handbook dated March 31, 2011.”

OIG Reply:
The majority of the text in sections 3.1.7 and 3.1.9 of the IT Security Handbook is copied verbatim from NIST SP 800-53 Rev 3, and the handbook contains no guidance on agency-wide risk management specific to OPM.

Among the limited original text in these sections of the Handbook is the statement “OPM shall: Develop a comprehensive strategy to manage risk to OPM operations and assets. . . .” However, the OIG has received no evidence that OPM has developed a risk management strategy or the associated policies and procedures.

We continue to recommend that the OCIO develop policies and procedures related to managing risk from an agency-wide perspective.

Recommendation 6
We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2, Risk Executive (Function).

OCIO Response:
“The CIO concurs with this recommendation and will take the necessary corrective action.”

b) System-specific risk management

NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that contains six primary steps: (i) the categorization of information and information systems; (ii) the selection of security controls; (iii) the implementation of security controls; (iv) the assessment of security control effectiveness; (v) the authorization of the information system; and (vi) the ongoing monitoring of security controls and the security state of the information system.

The OCIO has implemented the six-step RMF in its system-specific risk management activities through the new Authorization process; see section II above for a description of OPM’s Authorization methodology.

c) System security control testing

Although a full Authorization package is required for each system only every three years, the security controls of that system must be tested on an annual basis.
An annual test of security controls provides a method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement.

We reviewed the documentation resulting from the security controls tests for each system in OPM’s inventory. Our evaluation indicated that the IT security controls had been adequately tested for only 36 of OPM’s 48 systems during FY 2011. Failure to complete a security controls test increases the risk that agency officials are unable to make informed judgments to mitigate risks to an acceptable level.

OPM’s decentralized approach to IT security places responsibility on the various program offices for testing the security controls of their systems. The OCIO’s lack of authority over these program offices has contributed to the inadequate security control testing of the agency’s information systems.

Recommendation 7 (Rolled-Forward from 2008)
We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

OCIO Response:
“The CIO concurs with this recommendation and offers the following clarifying remarks in order to present a more current interpretation. In FY2011, security controls testing was completed for 41 of 48 eligible systems, resulting in an 85% compliance rate. In FY2012, we will continue to work with program offices to ensure that security controls are tested for all eligible systems.”

OIG Reply:
We disagree that 41 out of 48 eligible systems were subject to an adequate security controls test in FY 2011. The OCIO’s count of 41 includes four systems that were granted an extension and one system for which there is no adequate evidence that a test was conducted. We do not believe that any extensions should be granted; every system must be subjected to a security controls test every fiscal year.

IV. Configuration Management

The sections below detail the controls OPM has in place regarding the technical configuration management of its major applications and user workstations.

a) Agency-wide security configuration policy

OPM’s OCIO has implemented an agency-wide Information Security and Privacy Policy Handbook that defines the requirements necessary to meet the fundamental security and privacy objectives of confidentiality, integrity, and availability. The handbook includes a section devoted to configuration management. The OCIO also maintains a comprehensive configuration management policy that outlines the process and procedures for maintaining a securely configured network environment.

b) Standard baseline configurations

The OCIO maintains standard baseline configurations and/or build sheets for all operating platforms used by OPM to support major applications, including:
• Windows Server 2000;
• Windows Server 2003;
• Windows Server 2008;
• Linux;
• Oracle; and
• Microsoft SQL.

The OCIO uses vulnerability scanning tools to routinely scan servers to ensure compliance with the configuration guides and baselines for these operating platforms. Nothing came to our attention during this review to indicate that there are weaknesses in OPM’s baseline configuration controls.

c) Vulnerability scanning

The OCIO scans all production servers using automated vulnerability scanning tools. Although vulnerability scanning occurs on a continuous basis, the OCIO does not have a formal process to manage the weaknesses identified in the scanning reports.

Daily security advisory reports are sent to OCIO managers, and a weekly roll-up report is generated to summarize the week’s vulnerability scanning activity. Although we verified that these reports are routinely distributed, we were unable to determine what, if any, activity is performed to review and analyze the vulnerabilities identified. At a minimum, we recommend implementing a vulnerability tracking methodology that includes steps to:
• identify false positives in vulnerability scanning reports;
• identify and document vulnerabilities that the agency “accepts” and does not intend to fix; and
• formally document and track the remaining vulnerabilities until they are remediated.

Recommendation 8
We recommend that the OCIO implement a process for tracking the status of weaknesses identified through vulnerability scanning.

OCIO Response:
“The CIO concurs with this recommendation and will implement the necessary corrective action.”

Recommendation 9
We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans.

OCIO Response:
“The CIO concurs with this recommendation and will implement the necessary corrective action.”

d) Management of hardware inventory

The OCIO currently maintains a centralized agency-wide hardware inventory and uses several automated tools to scan the network environment to track and verify that inventory. It also maintains an inventory of all OPM-owned user workstations; each workstation is cataloged before being placed into service.

e) Federal Desktop Core Configuration / United States Government Configuration Baseline

OPM has developed a Windows XP standard image that is generally compliant with Federal Desktop Core Configuration (FDCC) standards and has documented nine deviations between this image and the FDCC requirements. OPM has also developed and tested a United States Government Configuration Baseline (USGCB) compliant image for all Windows 7 workstations. These images have been installed on all OPM workstations running the corresponding operating system.

V. Incident Response and Reporting

OPM’s “Incident Response and Reporting Guide” outlines the responsibilities of OPM’s Computer Incident Response Team (CIRT) and documents procedures for reporting all IT security events to the appropriate entities. We evaluated the degree to which OPM is following internal procedures and FISMA requirements for reporting security incidents internally, to the United States Computer Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities.

a) Identifying and reporting incidents internally

OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT resources to immediately notify OPM’s Situation Room when IT security incidents occur. The agency also currently uses two distinct intrusion detection systems to monitor network traffic for abnormalities.
In addition, OPM reiterates the information provided in the Incident Response and Reporting Guide in the annual IT security and privacy awareness training.

b) Reporting incidents to US-CERT

OPM’s Incident Response and Reporting policy states that OPM’s CIRT is responsible for sending incident reports on security incidents to US-CERT. OPM notifies US-CERT within one hour of the occurrence of a reportable security incident.

c) Reporting incidents to law enforcement

The Incident Response and Reporting policy states that security incidents should also be reported to law enforcement authorities, where appropriate. OPM notifies the OIG’s Office of Investigations of security incidents with a monthly report outlining all incidents in which sensitive data was lost.

VI. Security Training

All OPM employees are required to take IT security awareness training on an annual basis. In addition, employees with IT security responsibility are required to take additional specialized training.

a) IT security awareness training

The OCIO provides annual IT security and privacy awareness training to all OPM employees through an interactive web-based course. The course introduces employees and contractors to the basic concepts of IT security and privacy, including topics such as the importance of information security, security threats and vulnerabilities, viruses and malicious code, privacy, peer-to-peer software, and the roles and responsibilities of users.

Over 99 percent of OPM’s employees and contractors completed the security awareness training course in FY 2011.

b) Specialized IT security training

Agency employees with significant information security responsibilities are required to take specialized security training in addition to the annual awareness training.

The OCIO has developed a table outlining the security training requirements for specific job roles by group. The OCIO uses a spreadsheet to track the security training taken by employees who have been identified as having security responsibility. Of those identified, only 75 percent completed at least one hour of specialized security training in FY 2011.

Recommendation 10 (Rolled-Forward from 2010)
We continue to recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.

OCIO Response:
“The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we redesigned the OPM specialized security training program as part of our risk management strategy and to improve accuracy. We achieved a success rate of 75% and for the first time identified and required Executives and senior staff serving as Authorizing Officials and System Owners to complete the required training.”

VII. Plan of Action and Milestones

A Plan of Action and Milestones (POA&M) is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. In FY 2010, the OCIO developed a POA&M Guide that provides a template and instructions for system owners to use in managing known IT security weaknesses. The sections below detail OPM’s effectiveness in using POA&Ms to track the agency’s security weaknesses.

a) POA&Ms incorporate all known IT security weaknesses

In October 2010, we issued the FY 2010 FISMA audit report with 41 audit recommendations. We verified that all 41 of the recommendations were appropriately incorporated into the OCIO POA&M.

We reviewed 14 system POA&Ms submitted to the OCIO in FY 2011 to determine whether all known IT security weaknesses identified in the annual security controls tests were incorporated into the quarterly POA&Ms. Nothing came to our attention to indicate that program offices were not incorporating all known IT security weaknesses into system POA&Ms.

b) Management of POA&Ms by program offices

OPM program offices are responsible for developing, implementing, and managing POA&Ms for each system that they own and operate.
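The three tracking steps recommended under vulnerability scanning (section IV c) and the due-date tracking that the POA&M process in this section depends on fit in one small tracker. The following is an added example written for this page, not code from the report, OPM or the OCIO; the hosts, plugin ids, findings, scan dates, severity-based due dates and the 120-day reporting threshold are all assumptions constructed for illustration:

```python
"""Added example (not OPM/OCIO code): a minimal weakness tracker covering the
three triage steps recommended for vulnerability scan output, then reporting
overdue items the way the POA&M section counts them. All hosts, plugin ids,
findings, dates and due-date rules below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str]  # (host, scanner plugin id) identifies one finding

# Assumed remediation deadlines in days after first detection, by severity.
DUE_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
OVERDUE_THRESHOLD_DAYS = 120  # the report counts items more than 120 days overdue


@dataclass
class Weakness:
    host: str
    plugin: str
    severity: str
    title: str
    first_seen: date
    last_seen: date
    due: Optional[date]  # None when the item is not going to be fixed
    status: str          # open | false_positive | accepted | remediated
    note: str = ""


class WeaknessTracker:
    """One record per (host, plugin), carried across successive scans."""

    def __init__(self, false_positives: Dict[Key, str],
                 accepted: Dict[Key, Tuple[str, date]]) -> None:
        self.false_positives = false_positives  # key -> justification
        self.accepted = accepted                # key -> (justification, expiry)
        self.items: Dict[Key, Weakness] = {}

    def _triage(self, key: Key, severity: str, scan_date: date):
        """Return (status, due, note) for a finding observed on scan_date."""
        due = scan_date + timedelta(days=DUE_DAYS[severity])
        if key in self.false_positives:
            return "false_positive", None, self.false_positives[key]
        if key in self.accepted:
            justification, expires = self.accepted[key]
            if scan_date <= expires:
                return "accepted", None, justification
            return "open", due, f"risk acceptance expired {expires.isoformat()}"
        return "open", due, ""

    def ingest(self, scan_date: date, findings: Iterable[Tuple[str, str, str, str]]) -> None:
        """findings: (host, plugin, severity, title) rows from one scan."""
        seen = set()
        for host, plugin, severity, title in findings:
            key = (host, plugin)
            seen.add(key)
            status, due, note = self._triage(key, severity, scan_date)
            item = self.items.get(key)
            if item is None:
                self.items[key] = Weakness(host, plugin, severity, title,
                                           scan_date, scan_date, due, status, note)
            elif item.status == "remediated":
                # Regression: the finding is back after having been closed.
                item.last_seen, item.status, item.due = scan_date, status, due
                item.note = note or "reopened"
            elif item.status != status:
                # Triage outcome changed: acceptance lapsed, or later marked a false positive.
                item.last_seen, item.status, item.due, item.note = scan_date, status, due, note
            else:
                item.last_seen = scan_date  # still open: the due date is NOT extended
        # Open items absent from this scan are closed as of this scan date.
        for key, item in self.items.items():
            if item.status == "open" and key not in seen:
                item.status, item.note = "remediated", f"not observed on {scan_date.isoformat()}"

    def overdue(self, as_of: date, threshold_days: int = 0) -> List[Tuple[Key, int]]:
        """Open items more than threshold_days past their due date, latest first."""
        late = [(key, (as_of - item.due).days) for key, item in self.items.items()
                if item.status == "open" and item.due is not None]
        return sorted([(k, d) for k, d in late if d > threshold_days], key=lambda kd: -kd[1])

    def summary(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for item in self.items.values():
            counts[item.status] = counts.get(item.status, 0) + 1
        return counts


# Constructed scanner output: (host, plugin id, severity, title).
SCANS = [
    (date(2011, 7, 1), [
        ("srv-app01", "10001", "critical", "Missing vendor patch"),
        ("srv-app01", "10002", "low", "Self-signed certificate"),
        ("srv-db01", "10003", "high", "Default SNMP community string"),
        ("srv-web01", "10004", "medium", "SSLv2 enabled"),
        ("srv-web01", "10005", "medium", "Server banner reveals version")]),
    (date(2011, 9, 15), [
        ("srv-app01", "10001", "critical", "Missing vendor patch"),
        ("srv-app01", "10002", "low", "Self-signed certificate"),
        ("srv-web01", "10004", "medium", "SSLv2 enabled"),
        ("srv-web01", "10005", "medium", "Server banner reveals version"),
        ("srv-db01", "10006", "high", "Unsupported database version")]),
]
# A later scan, after the risk acceptance for plugin 10002 has expired.
LATER_SCAN = (date(2012, 7, 15), [("srv-app01", "10002", "low", "Self-signed certificate")])
FALSE_POSITIVES = {("srv-web01", "10005"): "banner rewritten by load balancer; verified by hand"}
ACCEPTED = {("srv-app01", "10002"): ("internal-only service, cert pinned by clients", date(2012, 6, 30))}
AS_OF = date(2011, 12, 1)  # reporting date used for the overdue calculation


def build_tracker() -> WeaknessTracker:
    tracker = WeaknessTracker(FALSE_POSITIVES, ACCEPTED)
    for scan_date, findings in SCANS:
        tracker.ingest(scan_date, findings)
    return tracker


if __name__ == "__main__":
    t = build_tracker()
    print(t.summary())
    for (host, plugin), days in t.overdue(AS_OF, OVERDUE_THRESHOLD_DAYS):
        print(f"{host} plugin {plugin}: {days} days past due")
```

Two design points determine the numbers such a tracker reports. The due date is fixed at first detection and is not extended when the same finding appears in a later scan, so the overdue count reflects how long the weakness has been known rather than how recently it was rescanned. Risk acceptances carry an expiry date, so an accepted item is re-opened and tracked again once the acceptance lapses; and a finding that disappears from a scan is closed automatically, which should be backed by evidence that it was actually fixed rather than, for instance, a host that was simply offline during the scan.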
We were provided evidence that up-to-date POA&Ms were submitted to the OCIO on a quarterly basis for all 48 OPM systems.

c) Remediation plans for correcting security weaknesses

When a POA&M item is remediated, OPM program offices are required to submit a work completion plan (WCP), along with evidence that the deficiency was corrected, to the OCIO for review. We reviewed WCPs for eight systems and found that the program offices provided sufficient evidence that the weaknesses were corrected. The eight systems were selected from the 48 OPM systems and were judgmentally chosen by OIG auditors. The results of the sample test were not projected to the entire population.

d) Compliance with estimated dates for remediation

The POA&Ms for 10 OPM systems contain security weaknesses with remediation activities over 120 days overdue. In the third quarter of FY 2011, OPM systems had a total of 36 POA&M items over 120 days overdue, an improvement from the 58 overdue items during the same period in FY 2010.

Program offices are responsible for dedicating adequate resources to addressing POA&M weaknesses and meeting target dates. In FY 2011, the OCIO provided improved guidance to ensure that program offices assign reasonable POA&M due dates and stay on track to meet those dates.

e) POA&M process prioritizes IT security weaknesses

Each program office at OPM is required to prioritize the IT security weaknesses on its POA&Ms to help ensure that significant IT security weaknesses are addressed in a timely manner. The POA&Ms for all systems in OPM’s inventory adequately prioritized security weaknesses.

VIII. Remote Access Management

The OIG evaluated OPM’s remote access and telecommuting policies and procedures and its progress in implementing the requirements of NIST SP 800-46 Revision 1, “Guide to Enterprise Telework and Remote Access Security.” In FY 2011, the OCIO developed an updated remote access policy. The new policy contains all of the critical elements required by the NIST guide.

We also evaluated OPM’s progress in enforcing two-factor authentication for remote users.

a) Authentication requirements

OPM uses a Virtual Private Network (VPN) client to provide remote users with secure access to the agency’s network environment. The VPN requires users to uniquely identify and authenticate themselves, and the OCIO maintains logs of the individuals who remotely access the network. The logs are reviewed on a monthly basis for unusual activity or trends.

In FY 2009, OPM required two-factor authentication for remote access in the form of RSA token devices in combination with a password. However, the agency stopped enforcing two-factor authentication in FY 2010, and users were able to authenticate with only a password. In FY 2011, the OCIO implemented the capability of using Personal Identity Verification (PIV) cards along with a password for two-factor authentication. However, there is still a subset of users who can access the network remotely using only a static password; until those users are migrated, remote access for them is only as strong as that single password.

Recommendation 11 (Rolled-Forward from 2010)
We recommend that the CIO enforce two-factor authentication with PIV cards for all remote access to its network environment.

OCIO Response:
“The CIO concurs with this recommendation and offers the following clarification remarks. The OPM network is now configured for two-factor authentication with PIV cards and most remote users are using PIV cards for authentication. In FY2012, we will continue to work on having the remaining users who are not using PIV cards for authentication comply with this requirement.”

I​X. Identity and Access Management

The sections below detail OPM’s account and identity management program.

a) Account management

OPM maintains policies related to the management of user accounts for its local area network (LAN) and its mainframe environments. Both policies contain procedures for creating user accounts with the appropriate level of access as well as procedures for removing access for terminated employees.

The OIG compared a list of recently terminated OPM employees to a list of active LAN and mainframe users. We found that 17 employees retained LAN access after their termination date, and 7 users had multiple accounts. We found no mainframe users who retained access after their termination.

OPM’s human resources department is responsible for creating and distributing a weekly list of terminated employees. This list is e-mailed directly to the mainframe team. However, nobody from the LAN team is copied on the distribution.
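The comparison the OIG performed above, an HR separation list reconciled against an export of active accounts, is simple enough to run on a schedule, which is what the recommendations later in this section ask for. Below is an added example written for this page, not code from the report, OPM or the OIG; the employee ids, account names, separation dates, the three-day grace period and the active-employee list are constructed assumptions:

```python
"""Added example (not OPM/OIG code): reconcile an HR separation list against an
export of LAN accounts, as described in the account management section, and
also flag duplicate and unowned accounts. Employee ids, account names, dates
and the grace period are constructed for illustration."""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed weekly HR separation list: employee id -> separation date.
SEPARATIONS: Dict[str, date] = {
    "E1001": date(2011, 8, 12),
    "E1002": date(2011, 9, 30),
    "E1003": date(2011, 10, 3),
}
# Constructed HR master list of employees still on the rolls.
ACTIVE_EMPLOYEES: Set[str] = {"E2004", "E2005"}

# Constructed LAN account export: (account name, employee id, enabled, last logon).
Account = Tuple[str, Optional[str], bool, Optional[date]]
LAN_ACCOUNTS: List[Account] = [
    ("jdoe",       "E1001", True,  date(2011, 9, 20)),  # separated 8/12, still enabled and used
    ("jdoe-adm",   "E1001", True,  None),               # second account for the same person
    ("asmith",     "E1002", False, date(2011, 9, 29)),  # disabled, as it should be
    ("bjones",     "E1003", True,  date(2011, 10, 2)),  # separated 2 days ago, inside grace period
    ("cwong",      "E2004", True,  date(2011, 10, 4)),  # current employee
    ("cwong2",     "E2004", True,  date(2011, 3, 1)),   # duplicate account for a current employee
    ("svc-backup", None,    True,  date(2011, 10, 5)),  # no HR record at all
]
AS_OF = date(2011, 10, 5)
GRACE_DAYS = 3  # assumed: time allowed for the weekly HR list to reach the account team


def terminated_but_enabled(accounts, separations, as_of, grace_days=GRACE_DAYS):
    """Enabled accounts whose owner separated more than grace_days ago.

    Returns (account, employee id, days since separation, used after separation).
    A logon after the separation date is the stronger finding: the account was
    not merely left open, it was actually used."""
    findings = []
    for name, emp, enabled, last_logon in accounts:
        if not enabled or emp not in separations:
            continue
        separated = separations[emp]
        days = (as_of - separated).days
        if days > grace_days:
            used_after = last_logon is not None and last_logon > separated
            findings.append((name, emp, days, used_after))
    return findings


def duplicate_accounts(accounts):
    """Employee ids that own more than one account (accounts without an id are skipped)."""
    by_employee: Dict[str, List[str]] = {}
    for name, emp, _enabled, _last_logon in accounts:
        if emp is not None:
            by_employee.setdefault(emp, []).append(name)
    return {emp: names for emp, names in by_employee.items() if len(names) > 1}


def orphan_accounts(accounts, active_employees, separations):
    """Accounts that cannot be tied to anyone HR knows about.

    These are usually service or shared accounts; each needs a named owner,
    otherwise no separation notice will ever cause it to be disabled."""
    known = set(active_employees) | set(separations)
    return [name for name, emp, _enabled, _last_logon in accounts
            if emp is None or emp not in known]


if __name__ == "__main__":
    for name, emp, days, used in terminated_but_enabled(LAN_ACCOUNTS, SEPARATIONS, AS_OF):
        flag = " (used after separation)" if used else ""
        print(f"{name}: {emp} separated {days} days ago{flag}")
    print("duplicates:", duplicate_accounts(LAN_ACCOUNTS))
    print("orphans:", orphan_accounts(LAN_ACCOUNTS, ACTIVE_EMPLOYEES, SEPARATIONS))
```

Note what the grace period hides: with GRACE_DAYS set to 0, a third account (an employee separated two days earlier) is reported as well, so the period should be no longer than the interval at which the separation list actually reaches the LAN team. The "used after separation" flag separates accounts that were merely left enabled from accounts that were logged on to after the owner left, which is the case that warrants incident handling rather than just cleanup. Accounts with no HR record at all are reported separately because no separation notice will ever cover them.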
We were not informed of any audits or reviews of user accounts conducted by the LAN team. Whatever audit activity does take place is not sufficient, as evidenced by the account violations detected during our review.

Failure to promptly remove LAN access for terminated employees increases the risk that individuals could gain unauthorized access to sensitive data stored on OPM’s network environment.

Recommendation 12
We recommend that all LAN accounts assigned to terminated employees be disabled.

OCIO Response:
“The CIO concurs with this recommendation and offers the following clarification. Currently, LAN accounts assigned to terminated employees are disabled once the information is provided to the Help Desk. However, there are occasions when the help desk does not always receive timely notification of terminated employees.”

Recommendation 13
We recommend that all unnecessary duplicate user accounts be disabled.

OCIO Response:
“The CIO concurs with this recommendation and will take the necessary corrective action.”

Recommendation 14
We recommend that the human resources employee termination list be distributed to all information system owners.

OCIO Response:
“There is concurrence with this recommendation. [OPM Human Resources (OPMHR)] has no objection in principle to supplying the separation list that is currently distributed to some system owners to all system owners as identified by the CIO; however, a quick review of the list shows some significant ownership issues.
1. OPMHR will review the ownership list in its entirety and reserves the right to make adjustments either based on its personal knowledge of the system and its ownership or after consultation with the listed owner.
2. There are multiple versions of the separation report. Due to the additional number of recipients, OPMHR will work with the system owners to develop a generic report to minimize the workload impact.”

OIG Reply:
We acknowledge that OPMHR agrees to provide the termination list. In order to fully address this recommendation, the OCIO must provide OPMHR with a list of appropriate recipients.

Recommendation 15
We recommend that the OCIO implement a process to routinely audit all active user accounts to search for terminated employees or duplicate accounts.

OCIO Response:
“The CIO concurs with this recommendation and will take the necessary corrective action.”

b) Unauthenticated network devices

The OCIO maintains an inventory of user workstations and servers connected to the OPM network environment. In FY 2010, the OCIO tested an automated tool that would scan the network for rogue devices not associated with authenticated users. The OCIO stated that “An automated process to detect unauthenticated network devices has been procured and is expected to be in place and operational in the third quarter FY 2011.” However, this control has not yet been implemented.

Recommendation 16 (Rolled-Forward from 2010)
We recommend that the OCIO implement an automated process to detect unauthenticated network devices.

OCIO Response:
“The CIO concurs with this recommendation and will take the necessary corrective action.”

X. Continuous Monitoring Management

The following sections detail OPM’s controls related to continuous monitoring of the security state of its information systems.

a) Continuous monitoring policy and procedures

OPM’s Information Security and Privacy Policy Handbook states that the security controls of all systems must be continuously monitored and assessed annually to ensure continued effectiveness.

In FY 2011, the OCIO established a Continuous Monitoring Working Group tasked with implementing a continuous monitoring program at the agency. The working group has developed a Concept of Operations (CONOPS) document that outlines the framework for the planned continuous monitoring program.

Although the creation of the working group and the CONOPS indicates that the OCIO has taken steps toward implementing a continuous monitoring program at OPM, this project remains a work in progress.

Recommendation 17 (Rolled-Forward from 2010)
We recommend that OPM develop a Continuous Monitoring Policy that outlines a strategy for identifying the information security controls that need continuous monitoring as well as procedures for conducting the tests.

OCIO Response:
“The CIO concurs with this recommendation and work is already underway to develop an OPM Continuous Monitoring program which will include policies and procedures.”

b) Common security controls

In FY 2011, the OCIO developed a catalog of information security controls that are shared (“common”) across all of the agency’s applications. Common security controls do not need to be tested for the individual applications “inheriting” them, as they have already been certified at an agency-wide level. The common controls catalog therefore saves time and resources by eliminating the need for these controls to be tested separately by each application that inherits them.

The current common controls catalog indicates that approximately 25% of the security controls outlined in NIST SP 800-53 Revision 3, “Recommended Security Controls for Federal Information Systems,” are common to all agency applications. However, the vast majority of these common controls relate to policy or program management. The current version of the catalog is incomplete, as it does not account for the large number of technical controls that are common to applications residing on one of OPM’s several general support systems. The OCIO indicated that it intends to update the catalog with additional common controls.

Recommendation 18 (Rolled-Forward from 2010)
We recommend that OPM create a comprehensive list of common security controls and distribute this information to the OPM program offices responsible for testing individual applications.

OCIO Response:
“The CIO does not concur with this recommendation and offers the following clarifying remarks. In FY2011, over 50 common controls were identified by the CISO and independently tested by the Bureau of Public Debt [BPD]. These common security controls were published August 2011 on THEO and are available to all OPM program offices. In FY2012, we will identify and independently test additional security controls that are candidates for common control status.”

OIG Reply:
The majority of controls contained within OPM’s catalog are related to policies and procedures.
We continue to assert that the current version of the catalog is\n         incomplete, as it does not account for the large number of technical controls that are\n         common to applications residing on one of OPM\xe2\x80\x99s several general support systems.\n         The current OPM common controls catalog adds minimal value to the main objective\n         of a comprehensive catalog: saving time and resources by eliminating the need for\n         these controls to be tested multiple times by each application that inherits them.\n\n         We continue to recommend that OPM create a comprehensive list of common\n         security controls and distribute this information to OPM program offices responsible\n         for testing individual applications. We will consider this recommendation to be\n         implemented when the common controls catalog contains the technical controls\n         provided by OPM general support systems.\n\nXI.   Contingency Planning\n      OPM\xe2\x80\x99s Information Security Privacy and Policy Handbook requires a contingency plan\n      to be in place for each federal information system. We verified that contingency plans\n      exist for all 48 production systems on OPM\xe2\x80\x99s master system inventory.\n\n      In prior OIG FISMA audits, we noted that the quality and consistency of contingency\n      plans varied greatly between OPM\xe2\x80\x99s various systems. As a result, the OCIO developed a\n      contingency plan template that all system owners are now required to use. The new\n      template closely follows the guidance of NIST SP 800-34, Contingency Planning Guide\n\n\n                                             21\n\x0cfor Information Technology Systems. Use of the new template is required for all systems\nthat start the security authorization process after January 2011. As of August 2011, only\nsix systems have conducted an authorization using the new guidance. 
The quality and consistency of the contingency plans appear to be improving with the use of the new template.

a) Testing contingency plans of individual OPM systems

OPM's Information Security and Privacy Policy Handbook requires that "The contingency plan for the information system is tested and/or exercised at least annually using OPM defined and information system specific tests and exercises. . . ." We received evidence that contingency plans were tested for only 40 of 48 systems in FY 2011.

Among the contingency plan tests we did receive, we continue to notice inconsistency in the quality of the documentation produced for various OPM systems. One of the main areas of inconsistency is the contingency plan test after action report. NIST SP 800-34 states that following a contingency plan test, "results and lessons learned should be documented and reviewed by test participants and other personnel as appropriate. Information collected during the test and post-test reviews that improve plan effectiveness should be incorporated into the contingency plan." Several after action reports we reviewed did not include summarized results or lessons learned. Without a thoroughly documented after action report, system owners will not know how to improve the contingency plan in order to be better prepared for a disruptive event.

These inconsistencies resulted from the program offices not having adequate guidance for conducting contingency plan tests at the time the tests were completed. The OCIO recently issued detailed guidance to program offices on how to conduct a contingency plan test and create an after action report. As part of the FY 2012 FISMA audit, we will test the impact that this new guidance has on the quality of system-level contingency plan tests.

Recommendation 19 (Rolled-Forward from 2008)
We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be tested immediately for the 8 systems that were not subject to adequate testing in FY 2011.

OCIO Response:
"The CIO concurs with this recommendation."

b) Agency-wide coordination of contingency plan testing

Many OPM systems reside on one of the agency's general support systems. While the contingency plans for these general support systems are tested on an individual basis, there is no coordinated contingency plan or disaster recovery test. A coordinated test is critical because several applications have elements or modules spread across multiple general support systems. Without some form of centralized approach to contingency plan testing, there is a risk that OPM systems will not be successfully recovered in the event of a disaster.

The agency has also not completed an agency-wide business impact analysis (BIA). OPM's Security Assessment and Authorization Guide states that "In order to properly develop a [Contingency Plan], a Business Impact Analysis must first be conducted. The BIA provides the necessary risk determinations to develop the system contingency plan." OPM is in the process of creating an agency-wide BIA, but this was not completed in FY 2011. Without a BIA, the agency cannot adequately prioritize the recovery of agency systems to facilitate a successful disaster recovery process.

Recommendation 20
We recommend that the OCIO conduct an agency-wide Business Impact Analysis.

OCIO Response:
"The CIO concurs with this recommendation and will take the necessary corrective action."

Recommendation 21
We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing.

OCIO Response:
"The CIO concurs with this recommendation but seeks clarifying information from the OIG on this recommendation."

OIG Reply:
We will provide the OCIO additional information on this recommendation, but the details will not be contained within this audit report.

XII. Contractor Systems

OPM's master system inventory indicates that 16 of the agency's 48 major applications are operated by a contractor.

We evaluated the methods that various program offices use to maintain oversight of their contractor-operated systems. In response to a FY 2010 FISMA audit recommendation regarding oversight of contractor-operated systems, the OCIO created a Site Survey Assessment form that program offices had to complete for all contractor-operated systems. The survey asked the program office to comment on the security controls in place at the contractor facilities. The survey was a positive step toward oversight of contractor-operated systems. Although the program offices appeared to provide an adequate level of oversight of contractor-operated systems, the techniques and quality of this oversight were inconsistent between program offices. This inconsistency is the result of OPM not having an agency-wide policy on oversight of contractor systems.

Recommendation 22
We recommend that, in addition to the Site Survey Assessment Form, OPM develop a policy providing guidance on adequate oversight of contractor-operated systems.

OCIO Response:
"The CIO partially concurs with this recommendation and believes that existing security policy also applies to contractor systems as documented under the Federal Information Security Management Act of 2002. However, the CIO believes that additional policy clarifications would be beneficial to improving security for OPM contractor systems and will update policy accordingly."

OIG Reply:
Although OPM's IT Security Handbook may apply to contractors, we determined that the techniques and quality of oversight provided to contractor systems were inconsistent between program offices. This inconsistency is the result of OPM not having an agency-wide policy that gives program offices guidance on overseeing the activities of contractors operating OPM systems. We continue to recommend that the OCIO develop policies to address oversight of contractor systems.

XIII. Security Capital Planning

NIST SP 800-53 control SA-2, Allocation of Resources, states that an organization needs to determine, document, and allocate the resources required to protect information systems as part of its capital planning and investment control process.

OPM's Information Security and Privacy Policy Handbook contains policies and procedures to ensure that information security is addressed in the capital planning and investment process. The OCIO uses Exhibit 53B to record the allocation of information security resources and submits this information annually to OMB.

Nothing came to our attention to indicate that OPM does not maintain an adequate capital planning and investment program for information security.

XIV. Follow-up of Prior OIG Audit Recommendations

All audit recommendations issued prior to 2010 were rolled forward into one of the recommendations in the FY 2010 OIG FISMA audit report (Report 4A-CI-00-10-019). FY 2010 recommendations that were not remediated by the end of FY 2011 are rolled forward with a new recommendation number in this FY 2011 OIG FISMA audit report.

The prior sections of this report evaluate the current status of many 2010 recommendations. However, several recommendations have not yet been addressed because the related topics were not part of the FY 2011 FISMA reporting instructions. These remaining recommendations are addressed in the sections below.

Note - Audit recommendations issued prior to FY 2010 reference OPM's Center for Information Services (CIS) as the program office responsible for the agency's IT security program. After an organizational realignment, this group is now referred to as the Office of the Chief Information Officer (OCIO).

Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-10-019, "Federal Information Security Management Act Audit - FY 2010"

a) 4A-CI-00-10-019 Recommendation 3
We recommend that the OCIO develop and implement an active strategy to maintain up-to-date information regarding OPM's master system inventory.

FY 2011 Status
The OCIO conducted an inventory survey of OPM program offices in FY 2010. However, one program office has not yet responded to the survey.
This recommendation remains open and is rolled forward in FY 2011.

Recommendation 23 (Rolled-Forward from 2010)
We recommend that the OCIO develop and implement an active strategy to maintain up-to-date information regarding OPM's master system inventory.

OCIO Response:
"The CIO does not concur with this recommendation and believes that existing methods for maintaining the OPM master systems inventory are adequate. These methods consist of requiring DSOs to provide monthly system inventory updates to the CISO, and the CISO conducts an annual survey to identify systems at contractor facilities, other Federal agencies or internal to OPM."

OIG Reply:
One OPM program office has not responded to the OCIO's survey regarding information system inventory. Without full participation from OPM program offices, the OCIO's approach of identifying information systems via surveys is not adequate.

b) 4A-CI-00-10-019 Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 1)
We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited.

FY 2011 Status
The OCIO conducted an inventory survey of OPM program offices in FY 2010. However, one program office has not yet responded to the survey. This recommendation remains open and is rolled forward in FY 2011.

Recommendation 24 (Rolled-Forward from 2009)
We recommend that CIS conduct a survey of OPM program offices to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited.

OCIO Response:
"The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we conducted a survey of OPM program offices to identify systems that should be added to the system inventory. In FY2012, we plan to conduct another survey, and identified systems will be added to the system inventory."

OIG Reply:
If the OCIO does not receive full participation by OPM program offices in the 2012 survey, we recommend that it develop a new methodology for identifying information systems owned by the agency.

c) 4A-CI-00-10-019 Recommendation 35 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 4)
We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM.

FY 2011 Status
The OCIO conducted an inventory survey of OPM program offices in FY 2010. We discovered that one program office did not respond to the survey. This recommendation remains open and is rolled forward in FY 2011.

Recommendation 25 (Rolled-Forward from 2009)
We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM.

OCIO Response:
"The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we conducted a survey of OPM program offices to identify systems owned by another agency and used by OPM. In FY2012, we plan to conduct another survey, and identified systems will be added to the system inventory."

OIG Reply:
If the OCIO does not receive full participation by OPM program offices in the 2012 survey, we recommend that it develop a new methodology for identifying information systems owned by the agency.

d) 4A-CI-00-10-019 Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 20)
We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.

FY 2011 Status
Not all agency systems have completed a PIA using the new format. This recommendation remains open and is rolled forward in FY 2011.

Recommendation 26 (Rolled-Forward from 2009)
We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.

OCIO Response:
"The CIO concurs with this recommendation and offers the following remarks. All PIAs with the exception of four were updated to reflect the new PIA Guide. We will take corrective action to ensure that the remaining four are updated."

e) 4A-CI-00-10-019 Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 21)
We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to the OCIO.

FY 2011 Status
Not all agency systems have completed a PIA using the new format, and therefore they cannot adequately reevaluate their current holdings of PII. This recommendation remains open and is rolled forward in FY 2011.

Recommendation 27 (Rolled-Forward from 2009)
We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to the OCIO.

OCIO Response:
"The CIO does not concur with this recommendation and believes that all PIAs were reviewed by system owners in FY2011."

OIG Reply:
Four systems do not have current PIAs; therefore, not all PIAs were reviewed by system owners in FY 2011.

f) 4A-CI-00-10-019 Recommendation 39 (Roll-Forward from OIG Reports 4A-CI-00-09-031 Recommendation 22 and 4A-CI-00-08-022 Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

FY 2011 Status
The OCIO has an ongoing plan to reduce and eventually eliminate the unnecessary use of SSNs. However, resource limitations prevented it from completing this task in FY 2011. This recommendation remains open and is rolled forward in FY 2011.

Recommendation 28 (Rolled-Forward from 2008)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

OCIO Response:
"The CIO concurs with this recommendation and offers the following clarifying remarks. OPM currently does not have the funding to effectively pursue the elimination of unnecessary use of SSNs as stated in OMB memorandum M-07-16. Efforts are made when the unnecessary use of SSNs is discovered in PTA and PIA documentation, and efforts are explored with the program office for alternatives. OPM does comply with the requirement to meet regularly with other federal agencies on this effort."

g) 4A-CI-00-10-019 Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 27)
We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.

FY 2011 Status
The OCIO is in the process of incorporating Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings. However, it did not finish this process in FY 2011. This recommendation remains open and is rolled forward in FY 2011.

Recommendation 29 (Rolled-Forward from 2009)
We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.

OCIO Response:
"The CIO concurs with this recommendation and will take the necessary corrective action."

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group.
The following individuals participated in the audit and the preparation of this report:

• , Group Chief
• , Senior Team Leader
• , IT Auditor
• , IT Auditor
• , IT Auditor

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Chief Information Officer

MEMORANDUM FOR: CHIEF, INFORMATION SYSTEMS AUDIT GROUP

FROM: MATTHEW E. PERRY, CHIEF INFORMATION OFFICER

Subject: Response to the Federal Information Security Management Act Audit - FY2011, Report No. 4A-CI-00-11-009

Thank you for the opportunity to comment on the subject report. The results provided in the draft report consist of a number of recommendations. The recommendations are valuable to our program improvement efforts and most of them are generally consistent with our plan. We plan to continue making improvements in our security risk management strategy and the OPM IT security program.

OIG Recommendations:

Recommendation 1
We recommend that the OCIO develop policies to address oversight of contractor systems, IV&V, and continuous monitoring of high risk security controls.

The CIO partially concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The policies in the IT Security Handbook dated March 31, 2011 apply to all OPM systems including those at contractor facilities and therefore a new policy for oversight of contractor systems is not necessary. The CIO believes that new policies for IV&V and continuous monitoring of high risk security controls should be developed and would be beneficial to the OPM security program.

Recommendation 2 (Rolled-Forward from 2010)
We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the SAISO. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the SAISO should consist of experienced information security professionals.

The CIO concurs with this recommendation and offers the following remarks. The CIO's budget does not contain funding to replace the Designated Security Officers with information security professionals. One possible suggestion is to require OPM program offices to provide funding for the CIO to hire information security professionals.

Recommendation 3
We recommend that the OCIO work with program offices to correct the specific errors that the OIG identified in the Authorization packages reviewed in FY 2011.

The CIO concurs with this recommendation and will take corrective action.

Recommendation 4 (Rolled-Forward from 2010)
We recommend that the OCIO assign additional resources to facilitate the Authorization process to ensure the consistency and quality of Authorization packages developed by OPM program offices.

The CIO concurs with this recommendation and believes that additional security resources could improve the security authorization process. However, funding is not allocated in the CIO budget to hire additional resources.

Recommendation 5
We recommend that the OCIO develop policies and procedures related to managing risk from an agency-wide perspective.

The CIO does not concur with this recommendation and believes that adequate policies and procedures are in place to manage risk from an agency-wide perspective as documented in sections 3.1.9 and 3.1.7 of the IT Security Handbook dated March 31, 2011.

Recommendation 6
We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 7 (Rolled-Forward from 2008)
We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

The CIO concurs with this recommendation and offers the following clarifying remarks in order to present a more current interpretation. In FY2011 security controls testing was completed for 41 of 48 eligible systems resulting in an 85% compliance rate. In FY2012, we will continue to work with program offices to ensure that security controls are tested for all eligible systems.

Recommendation 8
We recommend that OCIO implement a process for tracking the status of weaknesses identified through vulnerability scanning.

The CIO concurs with this recommendation and will implement the necessary corrective action.

Recommendation 9
We recommend that OCIO document "accepted" weaknesses identified in vulnerability scans.

The CIO concurs with this recommendation and will implement the necessary corrective action.

Recommendation 10 (Rolled-Forward from 2010)
We continue to recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.

The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we redesigned the OPM specialized security training program as part of our risk management strategy and to improve accuracy. We achieved a success rate of 75% and for the first time identified and required Executives and senior staff serving as Authorizing Officials and System Owners to complete the required training.

Recommendation 11 (Rolled-Forward from 2010)
We recommend that the CIO enforce two-factor authentication with PIV cards for all remote access to its network environment.

The CIO concurs with this recommendation and offers the following clarifying remarks. The OPM network is now configured for two-factor authentication with PIV cards and most remote users are using PIV cards for authentication. In FY2012, we will continue to work on having the remaining users who are not using PIV cards for authentication comply with this requirement.

Recommendation 12
We recommend that all LAN accounts assigned to terminated employees be disabled.

The CIO concurs with this recommendation and offers the following clarification. Currently, LAN accounts assigned to terminated employees are disabled once the information is provided to the Help Desk. However, there are occasions when the help desk does not receive timely notification of terminated employees.

Recommendation 13
We recommend that all unnecessary duplicate user accounts be disabled.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 14
We recommend that the human resources employee termination list be distributed to all information system owners.

There is concurrence with this recommendation. OPMHR has no objection in principle to supplying the separation list that is currently distributed to some system owners to all system owners as identified by the CIO; however, a quick review of the list shows some significant ownership issues.

1. OPMHR will review the ownership list in its entirety and reserves the right to make adjustments either based on its personal knowledge of the system and its ownership or after consultation with the listed owner.
2. There are multiple versions of the separation report. Due to the additional number of recipients, OPMHR will work with the system owners to develop a generic report to minimize the workload impact.

We wish to state that receipt of this report may not facilitate the earliest termination of network accounts for the following reasons:

1. HR relies on individual organizations to submit separation actions for their employees. We do not know when someone leaves the agency until we receive that notification.
2. In the case of employees who transfer to another agency, published government-wide guidance states that the employee cannot be removed from the rolls until positive evidence of the transfer from the gaining agency is received. In those cases we are at the mercy of the other agency to notify us. It is not unusual for it to take months to receive this notification.

Several years ago the agency's Exit Clearance Process was reviewed and revised based on this very issue. An agency-wide working group was pulled together to review the process and come up with a workable solution. The responsibility for clearing an employee from the building rested with the employee's supervisor, and they were responsible for making sure that any equipment was returned as well as their employee ID was turned in. You might want to think about revisiting that process at this time.

Recommendation 15
We recommend that the OCIO implement a process to routinely audit all active user accounts to search for terminated employees or duplicate accounts.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 16 (Rolled-Forward from 2010)
We recommend that the OCIO implement an automated process to detect unauthenticated network devices.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 17 (Rolled-Forward from 2010)
We recommend OPM develop a Continuous Monitoring Policy that outlines a strategy for identifying information security controls that need continuous monitoring as well as procedures for conducting the tests.

The CIO concurs with this recommendation and work is already underway to develop an OPM Continuous Monitoring program which will include policies and procedures.

Recommendation 18 (Rolled-Forward from 2010)
We recommend OPM create a list of common security controls and distribute this information to OPM program offices responsible for testing individual applications.

The CIO does not concur with this recommendation and offers the following clarifying remarks. In FY2011, over 50 common controls were identified by the CISO and independently tested by the Bureau of Public Debt. These common security controls were published in August 2011 on THEO and are available to all OPM program offices. In FY2012, we will identify and independently test additional security controls that are candidates for common control status.

Recommendation 19 (Rolled-Forward from 2008)
We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 28 systems that were not subject to adequate testing in FY 2011.

The CIO concurs with this recommendation and offers the following clarifying remarks in order to present a more current interpretation. In FY2011 contingency plan testing was completed for 40 of 48 eligible systems resulting in an 83% compliance rate.
In FY2012, we will continue to\nwork with program offices to ensure that contingency plan testing is conducted for all eligible\nsystems.\n\nRecommendation 20\n\nWe recommend that the OCIO conduct an agency-wide Business Impact Analysis.\n\n\nThe CIa concurs with this recommendation and will take the necessary corrective action\n\nRecommendation 21\nWe recommend that OCIO implement and document a centralized (agency-wide) approach\nto contingency plan testing.\n\nThe CIa concurs with this recommendation but seeks clarifying information from the aIG on\nthis recommendation.\n\n\nRecommendation 22\nWe recommend that, in addition to the Site Survey Assessment Form, OPM develop a\npolicy providing guidance on adequate oversight of contractor-operated systems.\n\n\n                                                5\n\n\x0cThe CIO partially concurs with this recommendation and believes that existing security policy\nalso applies to contractor systems as documented under the Federal Information Security\nManagement Act of 2002. However, the CIO believes that additional policy clarifications would\nbe beneficial to improving security for OPM contractor systems and will update policy\naccordingly.\n\nRecommendation 23 (Rolled-Forward (rom 2010)\n\nWe recommend that the OCIO develop and implement an active strategy to maintain up\xc2\xad\n\nto-date information regarding OPM\'s master system inventory.\n\n\nThe CIO does not concur with this recommendation and believes that existing methods for\nmaintaining the OPM master systems inventory are adequate. These methods consist of\nrequiring DSOs to provide monthly system inventory updates to the CISO and the CISO\nconducts an annual survey to identify systems at contractor facilities, other Federal agencies or\ninternal to OPM.\n\nRecommendation 24 (Rolled-Forward (rom 2009)\n\nWe recommend that CIS conduct a survey of OPM program offices to identify any systems\n\nthat exist but do not appear on the system inventory. 
The systems discovered during this\n\nsurvey should be promptly added to the system inventory and certified and accredited.\n\n\nThe CIO concurs with this recommendation and offers the following clarifying remarks. In\nFY2011, we conducted a survey ofOPM program offices to identify systems that should be\nadded to the system inventory. In FY2012, we plan to conduct another survey and identified\nsystems will be added to the system inventory.\n\nRecommendation 25 (Rolled-Forward (rom 2009)\n\nWe recommend that CIS conduct a survey to determine how many systems owned by\n\nanother agency are used by OPM.\n\n\nThe CIO concurs with this recommendation and offers the following clarifying remarks. In\n\nFY2011, we conducted a survey ofOPM program offices to identify systems owned by another\n\nagency and used by OPM. In FY2012, we plan to conduct another survey and identified systems\n\nwill be added to the system inventory.\n\n\nRecommendation 26 (Rolled-Forward (rom 2009)\n\nWe recommend that a new PIA be conducted for the appropriate systems based on the\n\nupdated PIA Guide.\n\nThe CIO concurs with this recommendation and offers the following remarks. All PIAs with the\n\nexception of four were updated to reflect the new PIA Guide. 
We will take corrective action to\n\nensure that the remaining four are updated.\n\n\nRecommendation 27 (Rolled-Forward (rom 2009)\n\n\n\n\n                                                 6\n\n\x0cWe recommend that each system owner annually review the existing PIA for their system\nto reevaluate current holdings of PH, and that they submit evidence of the review to the\nOCIO.\n\nThe CIa does not concur with this recommendation and believes that all PIAs were reviewed by\nsystem owners in FY20II.\n\nRecommendation 28 (Rolled-Forward (rom 2008)\n\nWe recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in\n\naccordance with OMB Memorandum M-07-16.\n\n\nThe CIO concurs with this recommendation and offers the following clarifying remarks. OPM\ncurrently does not have the funding to effectively pursue the elimination of unnecessary use of\nSSN\'s as stated in aMB memorandum M-07-I6. Efforts are made when the unnecessary use of\nSSN is discovered in PTA and PIA documentation and efforts are explored with the program\noffice for alternatives. OPM does comply with the requirement to meet regularly with other\nfederal agencies on this effort.\n\nRecommendation 29 (Rolled-Forward (rom 2009)\n\nWe recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all\n\ncontracts related to common security settings.\n\n\nThe CIa concurs with this recommendation and will take the necessary corrective action.\n\n\n\n\n                                               7\n\n\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
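Recommendations 8 and 9 above ask for a process that tracks the status of weaknesses found by vulnerability scanning and documents the ones that are "accepted". The following is an added illustration of such a tracker written for this edition; it is not OPM's tooling and the report does not describe any implementation. The scan rows, finding identifiers (F-101 and so on), hostnames, dates and the status vocabulary OPEN/REMEDIATED/ACCEPTED are all constructed assumptions. It goes slightly beyond the recommendation text by also re-opening a weakness that reappears after being closed and by reporting risk acceptances that have passed their review date.

```python
# Added example: tracker for weaknesses identified through vulnerability scanning.
# Not OPM's code; hosts, finding ids, dates and statuses below are constructed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Weakness:
    key: tuple[str, str]          # (host, finding id) identifies a weakness across scans
    severity: str
    first_seen: date
    last_seen: date
    status: str = "OPEN"          # OPEN, REMEDIATED or ACCEPTED
    justification: str = ""       # mandatory once a weakness is ACCEPTED
    accepted_until: date | None = None   # review date for the acceptance


class WeaknessTracker:
    def __init__(self) -> None:
        self.items: dict[tuple[str, str], Weakness] = {}

    def ingest_scan(self, scan_date: date, findings) -> None:
        """Merge one scan run, given as (host, finding_id, severity) tuples."""
        seen = set()
        for host, fid, severity in findings:
            key = (host, fid)
            seen.add(key)
            w = self.items.get(key)
            if w is None:
                self.items[key] = Weakness(key, severity, scan_date, scan_date)
            else:
                w.last_seen = scan_date
                if w.status == "REMEDIATED":
                    w.status = "OPEN"       # regression: the weakness came back
        # An OPEN weakness the scanner no longer reports is treated as remediated.
        # ACCEPTED items are left alone so the documented acceptance stays on record.
        for key, w in self.items.items():
            if key not in seen and w.status == "OPEN":
                w.status = "REMEDIATED"

    def accept(self, key: tuple[str, str], justification: str, until: date) -> None:
        """Record an accepted weakness; refuse an acceptance with no documentation."""
        if not justification.strip():
            raise ValueError("an accepted weakness must carry a documented justification")
        w = self.items[key]
        w.status, w.justification, w.accepted_until = "ACCEPTED", justification, until

    def report(self, as_of: date):
        """Return (count per status, accepted items whose review date has passed)."""
        counts: dict[str, int] = {}
        expired = []
        for w in self.items.values():
            counts[w.status] = counts.get(w.status, 0) + 1
            if w.status == "ACCEPTED" and w.accepted_until and w.accepted_until < as_of:
                expired.append(w.key)
        return counts, sorted(expired)


def run_example():
    """Two constructed scan runs with one documented acceptance in between."""
    t = WeaknessTracker()
    t.ingest_scan(date(2011, 6, 1), [
        ("web01", "F-101", "High"),
        ("web01", "F-102", "Medium"),
        ("db01", "F-201", "High"),
    ])
    t.accept(("db01", "F-201"),
             "compensating control: host reachable only from an isolated segment",
             until=date(2011, 9, 30))
    t.ingest_scan(date(2011, 10, 15), [
        ("web01", "F-101", "High"),      # still present -> stays OPEN
        ("db01", "F-201", "High"),       # still present but ACCEPTED
        ("app01", "F-301", "Low"),       # new -> OPEN
    ])                                   # F-102 absent -> REMEDIATED
    counts, expired = t.report(as_of=date(2011, 10, 31))
    return counts, expired, t


if __name__ == "__main__":
    counts, expired, tracker = run_example()
    print("status counts:", counts)
    print("acceptances past review date:", expired)
    for w in tracker.items.values():
        print(w.key, w.status, w.first_seen, w.last_seen)
```

The distinction between REMEDIATED and ACCEPTED is what Recommendation 9 is after: an accepted weakness keeps showing up in scans, so without a recorded justification and a review date it is indistinguishable from one nobody has looked at.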
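Recommendations 12 through 15 above describe the same control from several sides: HR produces a separation list, the help desk disables the LAN account once it learns of the separation, and the OCIO is asked to routinely audit all active accounts for terminated employees and duplicates. The following reconciliation script is an added example for this edition, not OPM's process or code. It assumes two exports that the report does not specify: an account listing with columns name, employee_id and enabled, and the HR separation report with columns employee_id and separation_date; the column names, account names and dates are constructed. It reports how many days a terminated employee's account has stayed enabled, which is the notification lag the CIO and OPMHR responses both mention, and it additionally flags enabled accounts with no HR identifier, which cannot be reconciled at all.

```python
# Added example: reconcile active LAN accounts against the HR separation list.
# Not OPM's tooling; column names and sample rows below are constructed.
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    employee_id: str     # HR identifier linking the account to a person; "" if none
    enabled: bool


@dataclass(frozen=True)
class Finding:
    kind: str            # TERMINATED, DUPLICATE or UNMAPPED
    account: str
    detail: str


def parse_accounts(csv_text: str) -> list[Account]:
    """Parse the account export; 'enabled' is the literal text true/false."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Account(r["name"].strip(), r["employee_id"].strip(),
                    r["enabled"].strip().lower() == "true") for r in rows]


def parse_separations(csv_text: str) -> dict[str, date]:
    """Parse the HR separation report into employee_id -> separation date."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["employee_id"].strip(): date.fromisoformat(r["separation_date"].strip())
            for r in rows}


def audit_accounts(accounts: list[Account], separations: dict[str, date],
                   as_of: date) -> list[Finding]:
    """Flag enabled accounts of separated employees, duplicates, and orphans."""
    findings: list[Finding] = []
    by_employee: dict[str, list[Account]] = defaultdict(list)
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled: nothing to do
        if not acct.employee_id:
            findings.append(Finding("UNMAPPED", acct.name,
                                    "enabled account with no HR identifier; cannot be reconciled"))
            continue
        by_employee[acct.employee_id].append(acct)
        sep = separations.get(acct.employee_id)
        # A future-dated separation is not yet effective, so it is not flagged.
        if sep is not None and sep <= as_of:
            lag = (as_of - sep).days
            findings.append(Finding("TERMINATED", acct.name,
                                    f"employee {acct.employee_id} separated {sep.isoformat()}, "
                                    f"account still enabled {lag} days later"))
    for emp, accts in by_employee.items():
        if len(accts) > 1:                # one person, several enabled accounts
            names = ", ".join(sorted(a.name for a in accts))
            for a in accts:
                findings.append(Finding("DUPLICATE", a.name,
                                        f"employee {emp} holds {len(accts)} enabled accounts: {names}"))
    return sorted(findings, key=lambda f: (f.kind, f.account))


# Constructed sample exports (not real OPM data).
ACCOUNTS_CSV = """name,employee_id,enabled
asmith,E1001,true
bjones,E1002,true
bjones2,E1002,true
cdoe,E1003,false
dlee,E1004,true
svc_backup,,true
ewong,E1005,true
"""

SEPARATIONS_CSV = """employee_id,separation_date
E1003,2011-08-15
E1004,2011-09-30
E1005,2011-12-01
"""


def run_example(as_of: date = date(2011, 10, 31)) -> list[Finding]:
    return audit_accounts(parse_accounts(ACCOUNTS_CSV),
                          parse_separations(SEPARATIONS_CSV), as_of)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:10} {f.account:12} {f.detail}")
```

Run routinely (the recommendation says "routinely audit"), the TERMINATED lag column doubles as a measure of how well the help-desk notification path in the Recommendation 12 response is working, and the UNMAPPED category surfaces the accounts that a separation list alone can never catch.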